tags:

views:

3827

answers:

5
+8  Q: 

How to choose an AES encryption mode (CBC ECB CTR OCB CFB)?

Which of them are preferred in which circumstances?

I'd like to see the list of evaluation crtieria for the various modes, and maybe a discussion of the applicability of each criterion.

For example, I think one of the criteria is "size of the code" for encryption and decryption, which is important for micro-code embedded systems, like 802.11 network adapters. IF the code required to implement CBC is much smaller than that required for CTR (I don't know this is true, it's just an example), then I could understand why the mode with the smaller code would be preferred. But if I am writing an app that runs on a server, and the AES library I am using implements both CBC and CTR anyway, then this criterion is irrelevant.

See what I mean by "list of evaluation criteria and applicability of each criterion" ??

This isn't really programming related but it is algorithm related.

+3  A: 

Have you start by reading the information on this on Wikipedia - Block cipher modes of operation? Then follow the reference link on Wikipedia to NIST: Recommendation for Block Cipher Modes of Operation.

KTC  2009-08-03 05:21:21
+5  A: 
  1. Anything but ECB.
  2. If using CTR, it is imperative that you use a different IV for each message, otherwise you end up with the attacker being able to take two ciphertexts and deriving a combined unencrypted plaintext. The reason is that CTR mode essentially turns a block cipher into a stream cipher, and the first rule of stream ciphers is to never use the same Key+IV twice.
  3. There really isn't much difference in how difficult the modes are to implement. Some modes only require the block cipher to operate in the encrypting direction. However, most block ciphers, including AES, don't take much more code to implement decryption.
  4. For all cipher modes, it is important to use different IVs for each message if your messages could be identical in the first several bytes, and you don't want an attacker knowing this.
Theran  2009-08-03 05:24:01
To support your Point 1 (+1 for that btw): http://www.codinghorror.com/blog/archives/001267.html
Michael Stum  2009-08-03 05:55:28
You shouldn't start CTR with a random number, since that has a small-but-increasing chance of colliding with part of a previous message. Instead monotonically increment it (this may mean remembering where you are up to in persistent storage), and re-key if (when) you run out of counter.
caf  2009-08-03 11:27:14
@Theran - point 2 - a different random number for each message? No, I think that is not correct. I am under the impression that starting the counter always at zero is just fine. @caf, I think when Theran says "message" he does not mean "block". Of course the counter gets incremented for each block of a particular message that run through the cipher. What Theran seems to be saying is that each message must start with a different initial value for the counter. And I think this is not correct.
Cheeso  2009-08-03 11:51:58
re: point 3 - I have read papers that say, for example, CTR mode is smaller to implement because the decrypt is the same transform as encrypt. Therefore half the code. But as I say, not relevant on a server-class machine.
Cheeso  2009-08-03 11:53:19
Yes, I misspoke. It's the IV/nonce that should change for CTR mode, but that gets combined with the counter before encrypting, so I tend to just think of it as a random starting point for the counter. As far as only having to use the cipher in the encrypting direction saving space, for many ciphers you only have to reverse the subkeys to decrypt. AES is a bit bulky for decrypting, but it's not like you can implement it on a uC with 128 bytes of RAM anyways. The subkeys take more RAM than that!
Theran  2009-08-04 03:50:29
A: 

I know one aspect: Although CBC gives better security by changing the IV for each block, it's not applicable to randomly accessed encrypted content (like an encrypted hard disk).

So, use CBC (and the other sequential modes) for sequential streams and ECB for random access.

chris166  2009-08-03 05:34:01
Ah, right, of course. The CBC XORs the prior ciphertext block with the plaintext block before encryption. The first block uses the IV. So to decrypt any block, you have to have successfully decrypted all prior blocks. ok, that's a good insight.
Cheeso  2009-08-03 11:36:05
No, you only have to have access to the prior _ciphertext_, which doesn't require decrypting any previous blocks.
caf  2009-08-03 13:57:21
Ah, well that means CBC is just fine with random access, doesn't it?
Cheeso  2009-09-18 01:37:05
+10  A: 

  • ECB should not be used if encrypting more than one block of data with the same key.

  • CBC, OFB and CFB are identical, however OFB/CFB is better because you only need encryption and not decryption, which can save code space.

  • CTR is used if you want good parallelization (ie. speed), instead of CBC/OFB/CFB.

  • XTS mode is the most common if you are encoding a random accessible data (like a hard disk or RAM).

  • OCB is by far the best mode, as it allows encryption and authentication in a single pass. However there are patents on it in USA.

The only thing you really have to know is that ECB is not to be used unless you are only encrypting 1 block. XTS should be used if you are encrypting randomly accessed data and not a stream.

  • You should ALWAYS use unique IV's every time you encrypt, and they should be random. If you cannot guarantee they are random, use OCB as it only requires a nonce, not an IV, and there is a distinct difference. A nonce does not drop security if people can guess the next one, an IV can cause this program.
myforwik  2009-08-03 06:18:24
Why is CTR more amenable to parallization?
Cheeso  2009-09-18 01:38:04
[CBC, OFB and CFB](http://en.wikipedia.org/wiki/Cipher_modes) are far from identical.
Jonathan Leffler  2010-10-17 02:46:08
CTR is amenable to parallelization because you can split the message into chunks, each chunk having a range of counter values associated with it, and encrypt (or decrypt) each chunk independently. By contrast, CFB relies on the output from the previous block as one of the inputs to the next, so it is rigorously sequential and inherently non-parallelizable. Similar for the other modes mentioned.
Jonathan Leffler  2010-10-17 02:47:47
A: 

Well, could you tell me the difference between AES-CBC and AES-CTR. WHich one is best for encryption and decryption for confidentiality, integrity and authenticaiton (CIA)?

kindly, zohirul

zahid  2010-10-12 20:26:03
Seems like this ought to be a new question.
Cheeso  2010-10-18 21:45:46

related questions

How to implement password protection for individual files?
Encrypting appSettings in web.config
Usefulness of SQL Server "with encryption" statement
How can I use a key blob generated from Win32 CryptoAPI in my .NET application?
CodeReview: Tiny Encryption Algorithm for arbitrary sized data
Simple encryption implementation in C
Which hard disk encryption software to choose?
Passing untampered data from Flash app to server?
How do I prevent replay attacks?
Is there a best .NET algorithm for credit card encryption?
Encrypt data from users in web applications
How to encrypt one message for multiple recipients?
Two-way password encryption without ssl
What's the answer to this Microsoft PDC challenge?
GPG: How does key signing work and how is it done?
Secure Online Highscore Lists for Non-Web Games
Programmatically encrypting a config-file in .NET
How do I use 3des encryption/decryption in Java?
Encryption in C# Web-Services
Suitable alternative to CryptEncrypt
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
C# - CryptographicException: Padding is invalid and cannot be removed
How can I encode xml files to xfdl (base64-gzip)?
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Encrypting Passwords